IETF Logo Mail Archive

Re: [sacm] [Rats] CoSWID and EAT and CWT

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 27 November 2019 17:18 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04321120A4F; Wed, 27 Nov 2019 09:18:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9qxI9aol5hh; Wed, 27 Nov 2019 09:18:52 -0800 (PST)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BDAA120979; Wed, 27 Nov 2019 09:18:51 -0800 (PST)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id xARHIlW0018081 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Wed, 27 Nov 2019 18:18:48 +0100
Received: from [192.168.178.8] (134.102.43.219) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.468.0; Wed, 27 Nov 2019 18:18:42 +0100
To: Thomas Fossati <Thomas.Fossati@arm.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Laurence Lundblade <lgl@island-resort.com>, "sacm@ietf.org" <sacm@ietf.org>, "rats@ietf.org" <rats@ietf.org>
References: <2A12D8A3-722A-44D1-8011-218C89C8B50B@island-resort.com> <VI1PR08MB5360236E3583EBD3A78085EDFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <60C4E362-02FD-4DDF-BFB4-D09D358282D4@arm.com> <b5bca8a7-7e7c-4432-a1be-6cf1fc21c352@sit.fraunhofer.de> <05D67FD7-B95E-4716-B844-2F2F3A09030F@arm.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <fba872b3-e326-ea54-8253-fccaa74a06fc@sit.fraunhofer.de>
Date: Wed, 27 Nov 2019 18:18:41 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <05D67FD7-B95E-4716-B844-2F2F3A09030F@arm.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.43.219]
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/0p7rpR54KKN39t9tLn1sAwlYO4Y>
Subject: Re: [sacm] [Rats] CoSWID and EAT and CWT
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 17:18:55 -0000

Hello Thomas,

we have a coswid extension in the queue that allows for the inclusion of 
hash-entries to very kind of resource-collection type (and also 12-14 
additional indexes, I think, that allow for the creation of Reference 
Integrity Manifests, including hashes for running processes). But this 
will not be submitted this year anymore, I am afraid. Very early next year!

You were not looking at the wrong place, it simply is not there yet, 
because the inclusion of hash-entries is done via "any attributes" in 
ISO XML SWIDs and NISTIR 8060 is focusing on files (not 
filesystem-items, which would include directories).

But we are very aware of that and will remediate that very soon (aka the 
CDDL is already written and passed multi-peer internal review).

It will be less of a "magic firmware recipe", though. If there is 
interest, we can increase the detail about how to reference and locate 
SUIT manifest content (the CDDL unpack operator can help with that, 
therefore retaining the semantic relationship with the SUIT manifest 
however you want to use it).

Viele Grüße,

Henk

On 27.11.19 17:59, Thomas Fossati wrote:
> Hi Henk
> 
> Thanks very much for your input.
> 
> On 27/11/2019, 13:24, "Henk Birkholz" <henk.birkholz@sit.fraunhofer.de> wrote:
>> yes there are ways to deal with firmware in SWID, namely the resource
>> type (index 19) in the set of SWID resource-collection [1] in
>> combination with the rel type (index 40) entries.
>>
>> This way, you would not have to use filesystem-items, but this way is
>> also a bit clunky and would require an informational guidance document
>> describing how to use *SWID for that.
> 
> That's interesting because initially I also tried to use the resource
> type -- which looked like the less wrong among all the available types
> in the resource collection.  However it wasn't clear to me how to
> associate a checksum to the component, hence I went for the
> filesystem-item.  Maybe I was just looking in the wrong place or maybe,
> as you say, there's a magic firmware recipe that's worth documenting
> here.
> 
>> There are some quite smart ways to do that actually with
>> filesystem-items, but I think it is more feasible to use a SUIT
>> manifest here to describe everything relevant to the "firmware thingy"
>> and then put a CoSWID into the SUIT manifest's outer wrapper [2] that
>> then represents the rest of the semantics that is not covered by the
>> manifest but by CoSWID. This method is fine, as the COSE envelope
>> around the EAT will make tempering with the outer wrapper of the SUIT
>> Manifest evident.
>>
>> I think that is a more elegant way to do it, actually, and the reason
>> why issue #46 in the EAT repo proposes to define a Claim to include a
>> SUIT Manifest in an EAT, too.
> 
> I'll look into this, thanks for the pointer.
> 
> Stepping back for a second and looking from the perspective of my
> immediate requirement (i.e., "Is it possible to translate PSA's software
> component claim using purely EAT constructs?"), ideally I'd like to have
> something that is expressive enough to encode my semantics (i.e.: SW
> component name, version, signer and measurement) without being overly
> complex.

Your examples look very close to the CoSWID as RIM, maybe the gaps to 
fill here in order to represent "filesystem-less" firmware is in fact 
relatively small. We will submit the CoSWID RIM part in a few weeks and 
will get some feedback on that (e.g. hash-entries for resources).

> 
> So my knee-jerk reaction is if that implies pulling a dependency on
> SUIT maybe it's a bit too much?  But I confess haven't yet looked at
> the details of your proposal nor I can claim enough SUIT-foo to really
> grok the complexity involved.  As said, I'll have a look shortly.

The SUIT manifest can look very complex (CDDL-wise), but please keep in 
mind that most members (content items) are optional, so an actual 
instance of SUIT manifest can be quite... concise :) While I see the 
point in doing it "all in one thing" the SUIT manifest is an excellent 
representation for what is needed in updating small and big or cloudy 
things and redundant semantics in data formats often create 
corresponding friction in semantic interoperability later on (iotdir hat 
on opinion). So my first reaction is to combine the functionality of 
both and not to recreate the functionality redundantly on each side.

> 
> cheers!
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

Viele Grüße,

Henk

v2.23.0 | Report a Bug | By Email